From: Lars Ingebrigtsen <larsi@gnus.org>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Cc: 15057@debbugs.gnu.org, 16253@debbugs.gnu.org,
Roland Winkler <winkler@gnu.org>,
11267@debbugs.gnu.org, Tassilo Horn <tsdh@gnu.org>
Subject: bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
Date: Mon, 10 Feb 2014 21:09:25 -0800 [thread overview]
Message-ID: <87ppmup75m.fsf@building.gnus.org> (raw)
In-Reply-To: <87d2iv8ck8.fsf@lifelogs.com> (Ted Zlatanov's message of "Mon, 10 Feb 2014 05:52:23 -0500")
Ted Zlatanov <tzz@lifelogs.com> writes:
> LI> But aren't there lots of (or some) servers that only supports DHE and
> LI> not ECDHE?
>
> There's no way to know until you connect, that's the heart of the
> problem. So IIUC you'd have to either be potentially insecure all the
> time (DHE enabled) or potentially fail connecting to some servers.
I thought TLS worked like this:
1) You connect to a server.
2) A server says what encryption methods it supports
3) You choose one, and start talking in that method.
So things like browsers have a pre-defined list of methods, in
descending order of what they consider "more safe", so that ECDHE is
used if available, etc.
> I think the latter is the better option as a default, as long as we make
> it clear (not in a *GnuTLS log* buffer but with `message' so it shows up
> in the echo region and in STDERR in batch mode) that
>
> * the connection was rejected because the remote requires a lower level
> of security
I've basically never ever seen Firefox say "you can't talk to this
server, because the TLS is too weak". Neither should Emacs.
(Emacs, being Emacs, might offer as an option a way to restrict all TLS
connections to a smaller set of algorithms/levels, but that should not
be the default.)
> * how to try allowing the less-secure connection (perhaps a simple
> command to automate this, or even a clickable button, would be nicer
> than asking the user to `customize-variable'). The original discussion
> sort of settled on magically reopening the connection with less security
> but I think that might be a disservice to the users.
We would always try to get the most secure TLS connection possible, so I
don't quite understand "reconnect"...
> * why it's smarter to ask the server admin to upgrade their TLS
> implementation
>
> Fitting all of that in a short readable message might be a challenge,
> hence the button suggestion, but that's not ideal either.
If the user has explicitly said "don't talk unless it has teh haxors
leet mode", then that's not necessary, I would have thought.
But I might be misunderstanding the problem completely. >"?
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog http://lars.ingebrigtsen.no/
next prev parent reply other threads:[~2014-02-11 5:09 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-09 8:52 bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Tassilo Horn
2013-08-11 20:03 ` Lars Magne Ingebrigtsen
2013-10-07 22:27 ` Ted Zlatanov
2014-01-31 0:46 ` Lars Ingebrigtsen
2014-02-10 2:15 ` Ted Zlatanov
2012-04-17 21:14 ` bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough) Roland Winkler
2012-04-18 16:48 ` Glenn Morris
2012-04-19 11:04 ` Roland Winkler
2012-04-19 16:19 ` Glenn Morris
2012-04-19 16:26 ` Lars Magne Ingebrigtsen
2012-04-19 16:31 ` Glenn Morris
2012-04-19 16:41 ` Roland Winkler
2012-04-24 12:45 ` Ted Zlatanov
2012-04-24 20:04 ` Roland Winkler
2012-05-13 19:04 ` Lars Magne Ingebrigtsen
2012-05-15 8:24 ` Ted Zlatanov
2012-05-15 15:16 ` Chong Yidong
[not found] ` <mailman.1129.1337070368.855.bug-gnu-emacs@gnu.org>
2012-05-18 11:38 ` n.mavrogiannopoulos
2014-02-10 2:39 ` Ted Zlatanov
2014-02-10 3:06 ` Roland Winkler
2014-02-10 8:28 ` Nikos Mavrogiannopoulos
2014-02-10 2:58 ` bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Lars Ingebrigtsen
2014-02-10 10:52 ` bug#11267: bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits, bug#11267: 24.0.95; gnutls.c: [0] (Emacs) fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough) Ted Zlatanov
2014-02-11 5:09 ` Lars Ingebrigtsen [this message]
2014-02-11 10:35 ` Nikos Mavrogiannopoulos
2014-02-11 14:21 ` bug#16253: bug#11267: " Ted Zlatanov
2014-02-11 22:49 ` Roland Winkler
2014-02-11 23:54 ` Ted Zlatanov
2014-02-12 4:30 ` bug#15057: " Lars Ingebrigtsen
2014-02-12 17:11 ` Ted Zlatanov
2014-02-12 4:29 ` Lars Ingebrigtsen
2014-12-08 19:43 ` bug#15057: 24.3.50; TLS error with reasonably high gnutls-min-prime-bits Lars Magne Ingebrigtsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ppmup75m.fsf@building.gnus.org \
--to=larsi@gnus.org \
--cc=11267@debbugs.gnu.org \
--cc=15057@debbugs.gnu.org \
--cc=16253@debbugs.gnu.org \
--cc=n.mavrogiannopoulos@gmail.com \
--cc=tsdh@gnu.org \
--cc=winkler@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.